add support for native image - GRAALVM

[ricardkollcaku]

Currently if we use msk kafka and we want to build a native image (spring boot app)
it will not work because reflected classes are not declared for graalvm to include them in compile time
Would be nice that this configuration would be included in the library

[hajlaoui-nader]

hello @ricardkollcaku, we're facing the same problem, have you found a solution ?

[ricardkollcaku]

@hajlaoui-nader
currently i have manually added reflection configuration in resources using native-agent
I have cleansed the unnecessary stuff that was added by the agent and now it works ok.

[hajlaoui-nader]

thanks @ricardkollcaku. we've done the same and it works:

@RegisterForReflection( targets = {IAMLoginModule.class, IAMClientCallbackHandler.class, IAMSaslClient.ClassLoaderAwareIAMSaslClientFactory.class, IAMSaslClient.IAMSaslClientFactory.class, AuthenticationResponse.class})

PS: we're not using spring-boot

[sivabalachandran]

@hajlaoui-nader I am facing same issue and could you tell me what version of aws-msk-iam-auth did you use? I seem to run into build issues one after another. Thanks a ton.

[hajlaoui-nader]

hello @sivabalachandran, we used the version 1.1.9

[sivabalachandran]

hello @sivabalachandran, we used the version 1.1.9

@hajlaoui-nader With 1.1.9, do you have to initialize anything at runtime using quarkus.native.additional-build-args=--initialize-at-run-time=? I am running into all sort of build issues with java.util.Random being initialized at build time. Thanks again for the help.

[matthenry87]

thanks @ricardkollcaku. we've done the same and it works:

@RegisterForReflection( targets = {IAMLoginModule.class, IAMClientCallbackHandler.class, IAMSaslClient.ClassLoaderAwareIAMSaslClientFactory.class, IAMSaslClient.IAMSaslClientFactory.class, AuthenticationResponse.class})

PS: we're not using spring-boot

Hello all! Couple things -

You will want to add awsDebugCreds=true to your sasl.jaas.config, and you want to turn on DEBUG logging for the software.amazon.msk package. This way you see the full errors+stack traces if/when you need to add hints. Otherwise it just fails silently leaving you scratching your head (typical for security related packages).

I am using EKS IAM Roles for Service Accounts, so I also had to add a hint for com.amazonaws.auth.AWS4Signer (default constructor). I'm going to get with my company to see what hoops I need to jump to contribute native hints to this project.

[ShakeelHussain]

Hi Team,
we are facing the same issue?
will adding the above hints solve runtime/unknown issues?

or something else needed to be done.

[cmtoan]

I have the same probleme with the build native of aws-msk-iam-auth. I configure with
@RegisterForReflection(
targets = {
IAMLoginModule.class,
IAMClientCallbackHandler.class,
IAMSaslClient.ClassLoaderAwareIAMSaslClientFactory.class,
IAMSaslClient.IAMSaslClientFactory.class,
IAMSaslClient.class,
IAMSaslClientProvider.class,
AuthenticationResponse.class,
}
)

and "-H:AdditionalSecurityProviders=software.amazon.msk.auth.iam.internals.IAMSaslClientProvider"

but I have following errors in AWS, do you have the same probleme ?
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: Failed to configure SaslClientAuthenticator
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: Failed to create SaslClient with mechanism AWS_MSK_IAM

[jvdadda]

The current library is completely unusable with native (GraalVM / Quarkus), probably because of aws sdk v1 that does not support native

[matthenry87]

The current library is completely unusable with native (GraalVM / Quarkus), probably because of aws sdk v1 that does not support native

I've got it all working. I can share my hints once I'm at my desk.

[jvdadda]

The current library is completely unusable with native (GraalVM / Quarkus), probably because of aws sdk v1 that does not support native

I've got it all working. I can share my hints once I'm at my desk.

It would be wonderful 🙌

[jvdadda]

Hi @matthenry87 can you share you working configuration to make it work ? Thanks a lot

[joseiedo]

Hey! What do you guys think would be the best path to completely solve this issue? I'm not very familiar with migrating these applications to work with native, but I'm willing to help.

Should we try to use Features or this wouldn't work?

I noticed there were some PRs updating the aws sdk, but these issues with reflection are still happening. Maybe we can build an wrapper supporting native...

[jvdadda]

Hi @joseiedo , indeed, with full migration to AWS SDK v2, it is easier to use it with Quarkus. I need to add some configuration (in Kotlin for me):

@RegisterForReflection(
    targets = [
        IAMLoginModule::class,
        IAMClientCallbackHandler::class,
        IAMSaslClient.ClassLoaderAwareIAMSaslClientFactory::class,
        IAMSaslClient.IAMSaslClientFactory::class,
        AuthenticationResponse::class,
    ],
)
class Registration_IamMskAuth

class Feature_IamMskAuth : Feature {
    override fun afterRegistration(access: Feature.AfterRegistrationAccess?) {
        val rci = ImageSingletons.lookup(
            RuntimeClassInitializationSupport::class.java,
        )
        rci.initializeAtRunTime(IAMLoginModule::class.java, "To reconciliate class hashcode")
    }
}

And in Quarkus config (src/main/resources/application.yml):

quarkus:
  native:
    additional-build-args: >
      --features=ly.wide.config.Feature_IamMskAuth